> scootoure (Viewer) mentioned you in a post! Join the conversation below:
>
> This access controls concept is something that I am finding extremely confusing due to the mixed information across resources. Sybex Official Study Guide Edition 8 specifically separates Rule-Based Access Control from Discretionary Access Control (p.628), stating each is 1 of the 5 access control models.

OK, in this, at least, the Sybex Official Study Guide Edition 8 is dead wrong. Rule Based Access Control (RBAC) and Role Based Access Control (again, possibly confusingly, RBAC) are orthogonal to mandatory and discretionary access control. Mandatory access control can be either rule or role based (or both), and so can discretionary.

> However, the Destination Certification video (https://www.youtube.com/watch?v=BUcoABZzeQ4&list=PLZKdGEfEyJhKWyryIvx_jm1jn6ZMTi7gW&index=16) explicitly states that both Rule-Based and Role-Based Access Controls are Discretionary and mentions in the comments that everyone else that says otherwise is incorrect.

And the Destination Certification video (and attendant comments) is (are) wrong. Rule-Based Access Control simply uses rules to decide access. Role-Based Access Control assigns and manages people and access on the basis of jobs. They aren't mutually contradictory, as mandatory and discretionary access control are.

> Can you provide insight into why your logic contradicts the Sybex official study guide.

Because Sybex is wrong.

> What should I follow?

Me. I'm an information scientist. I know everything 🙂 For example, I know that the original paper presenting role based access control *assumed* that it would be used in mandatory access control systems, and only in them. But there was no inherent reason for that, and, these days, we mostly use it in discretionary access control systems (since there aren't that many mandatory access control systems around).
======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
=============
for back issues: [Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB
http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
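The orthogonality argued in the reply above, shown as an added toy policy engine (example code, not part of the original post): the same role table and the same fixed rule are consulted inside both a mandatory policy (system-enforced labels, owner has no say) and a discretionary one (owner-managed ACL, which may itself grant by role). Labels, roles and names are constructed for the example.

```python
"""Toy access-control engine: rule-based and role-based decisions are
independent of whether the overall policy is mandatory or discretionary."""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed labels

@dataclass
class Obj:
    name: str
    owner: str
    label: str                                # MAC: fixed by the system
    acl: dict = field(default_factory=dict)   # DAC: owner-managed {grantee: {ops}}

@dataclass
class Subj:
    name: str
    clearance: str
    roles: set

# Role-based: roles map to permitted operations (usable under MAC or DAC).
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"}}

def role_allows(s, op):
    return any(op in ROLE_PERMS.get(r, set()) for r in s.roles)

# Rule-based: a fixed rule no subject can change ("no read up", "no write down").
def rule_allows(s, o, op):
    if op == "read":
        return LEVELS[s.clearance] >= LEVELS[o.label]
    return LEVELS[s.clearance] <= LEVELS[o.label]

def mac_decision(s, o, op):
    """Mandatory: the system's rule AND the subject's role; the owner has no say."""
    return rule_allows(s, o, op) and role_allows(s, op)

def dac_decision(s, o, op):
    """Discretionary: the owner decides, granting directly or by role ("role:<name>")."""
    if s.name == o.owner:
        return True
    granted = set(o.acl.get(s.name, set()))
    for r in s.roles:
        granted |= o.acl.get("role:" + r, set())
    return op in granted
```

Run with a "secret" document whose owner grants analysts read access: a "confidential" analyst is refused under the mandatory policy (the rule wins) yet admitted under the discretionary one (the owner's role grant wins), while the roles themselves are identical in both.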